Defending Against Human-Operated Ransomware Attacks

Additional resources

A Practical Approach to ESA Implementation at Small and Medium Enterprises

SMEs can establish an enterprise security architecture by taking a step-by-step approach emphasizing practical strategies.

Securing the Welcome: How I Transformed Onboarding into a Business-Driven Cybersecurity Strategy

Jeff Wade shares how to transform a cybersecurity onboarding program by starting early, reinforcing often, and shaping behaviors through clarity.

AAISM—Advanced in AI Security Management

For CISM and CISSP holders with experience in AI security, ISACA Advanced in AI Security Management enhances skills to identify, assess and mitigate risk across enterprise AI solutions.

Cybersecurity Awareness Resources

ISACA offers Information Cybersecurity resources across audit & assurance, governance, enterprise, information security, and risk topics.

Following on from our earlier ISACA Journal article, let’s explore how organizations can benefit from leveraging Secure By Design. Let us start off with a very short mock Service Catalogue before using ransomware as a means of bringing it to life. The purpose of a service catalogue is to provide a comprehensive view of all available services, their interrelationships and performance commitments.

Mock ESA Service Catalogue

1. Managed Security Services
   • Automated Endpoint Management
   • Endpoint Detection and Response (EDR)
   • Automated Attack Disruption
2. Governance, Risk, and Compliance (GRC)
   • Security Awareness Training
   • Threat Intelligence Updates
   • Compliance Audits
3. Identity and Access Management (IAM)
   • Multi-Factor Authentication (MFA)
   • Access Control Audits
   • Incident Response and Remediation
4. Cloud Security
   • Real-Time Monitoring and Alerting
   • Automated Restoration Services
   • Cloud Configuration Management
5. Data Security and Privacy
   • Vulnerability Assessments
   • Secure Backup Solutions
   • Data Encryption Services

To effectively defend against human-operated ransomware attacks, we can categorize the key capabilities into themes such as Reduced Attack Surface, Enhanced Detection, Effective Response and Robust Recovery. Aligning these themes with the Enterprise Security Architecture (ESA) service catalogue will help create a comprehensive security strategy.

Reduced Attack Surface

Reducing the attack surface involves minimizing vulnerabilities and entry points that attackers can exploit. Automated Endpoint Management ensures all systems are patched and up to date to reduce vulnerabilities. This capability can be integrated into Managed Security Services, which provide automated updates and patch management to keep systems secure. Security Awareness Training educates users about phishing and social engineering threats to prevent successful attacks.

This can be part of Governance, Risk, and Compliance (GRC) services, offering training programs and workshops to enhance user awareness. Additionally, vulnerability scanning regularly identifies and closes exploitable gaps. This can be included in data security and privacy services, providing vulnerability assessments and penetration testing to proactively address potential security issues.

Enhanced Detection

Enhanced detection focuses on identifying threats as early as possible to mitigate damage. Real-time monitoring and alerting detect abnormal activity across systems in real-time. This capability can be integrated into cloud security services, offering continuous monitoring and advanced analytics to quickly identify and respond to threats. Endpoint Detection and Response (EDR) solutions isolate infected devices to prevent the spread of ransomware. This fits well within Managed Security Services, providing rapid detection and containment of threats to minimize impact. Threat Intelligence helps stay ahead of emerging attack patterns with up-to-date information. This can be included in GRC services, offering threat intelligence updates to keep organizations informed about the latest threats and vulnerabilities.

Effective Response

Effective response involves quickly and efficiently addressing security incidents to minimize impact. Automated Attack Disruption uses tools like Microsoft Defender XDR to automatically detect and stop malicious activities. This capability fits within Managed Security Services, providing automated attack disruption

tools to swiftly neutralize threats. Incident Investigation and Remediation thoroughly investigate alerts and treat all malware infections as potential full compromises. This can be included in Identity and Access Management (IAM) services, offering incident response and remediation to ensure thorough investigation and resolution of security incidents. Credential hygiene implements strong credential management practices to prevent attackers from gaining access. This fits within IAM services, providing multi-factor authentication and access control audits to enhance security.

Robust Recovery

Robust recovery ensures that systems can quickly bounce back from attacks with minimal downtime and data loss. Secure backups ensure recovery points are protected and cannot be altered or encrypted by attackers. This capability aligns with Data Security and Privacy services, providing secure backup solutions to safeguard data. Automated restoration enables rapid system rollback to minimize downtime and data loss. This fits within Cloud Security Services, offering automated restoration to quickly recover from ransomware attacks and restore normal operations. By categorizing these capabilities into themes and aligning them with the capabilities in an Enterprise Security Architecture service catalogue, organizations can build a resilient and comprehensive security strategy that effectively defends against human-operated ransomware attacks.